nixos/ssh: allow UsePAM to be disabled

2024-04-21 22:51:02 +10:00 · 2024-04-21 22:51:02 +10:00 · 2e51a2fd03
parent 41911ed9d2
commit 2e51a2fd03
2 changed files with 30 additions and 3 deletions
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -346,6 +346,7 @@ in
                violates the privacy of users and is not recommended.
              '';
            };
+            UsePAM = mkEnableOption "PAM authentication" // { default = true; };
            UseDns = mkOption {
              type = types.bool;
              # apply if cfg.useDns then "yes" else "no"
@ -622,7 +623,7 @@ in

    networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports;

-    security.pam.services.sshd =
+    security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
      { startSession = true;
        showMotd = true;
        unixAuth = cfg.settings.PasswordAuthentication;
@ -638,8 +639,6 @@ in

    services.openssh.extraConfig = mkOrder 0
      ''
-        UsePAM yes
-
        Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}

        AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@ -108,6 +108,23 @@ in {
        };
      };

+    server-no-pam =
+      { pkgs, ... }:
+      {
+        programs.ssh.package = pkgs.opensshPackages.openssh.override {
+          withPAM = false;
+        };
+        services.openssh = {
+          enable = true;
+          settings = {
+            UsePAM = false;
+          };
+        };
+        users.users.root.openssh.authorizedKeys.keys = [
+          snakeOilPublicKey
+        ];
+      };
+
    client =
      { ... }: {
        virtualisation.vlans = [ 1 2 ];
@ -122,6 +139,7 @@ in {
    server_allowed_users.wait_for_unit("sshd", timeout=30)
    server_localhost_only.wait_for_unit("sshd", timeout=30)
    server_match_rule.wait_for_unit("sshd", timeout=30)
+    server_no_pam.wait_for_unit("sshd", timeout=30)

    server_lazy.wait_for_unit("sshd.socket", timeout=30)
    server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
@ -211,5 +229,15 @@ in {
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
            timeout=30
        )
+
+    with subtest("no-pam"):
+        client.succeed(
+            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
+        )
+        client.succeed("chmod 600 privkey.snakeoil")
+        client.succeed(
+            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
+            timeout=30
+        )
  '';
 })